CyberSecurityNews

ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites


A large hacking campaign is sweeping across websites worldwide, turning ordinary content management systems into launchpads for attackers.

Small and medium sized businesses in Australia and beyond are finding their web servers quietly hijacked, often without obvious warning signs.

The scale of this operation has pushed the alert status to critical. At the center of this campaign is a familiar but dangerous tool called a webshell.

Once planted on a compromised server, a webshell gives attackers a hidden backdoor that lets them remotely control the site as if they were at the keyboard themselves.

From there, criminals can deface pages, steal login credentials, spread malware, or use the foothold to move deeper into a network.

Analysts and researchers from the Australian Signals Directorate’s Cyber Security Centre, known as ACSC, identified this campaign as it unfolded across a wide range of CMS platforms and plugins.

Their investigation found attackers are not relying on a single flaw but chaining together known vulnerabilities to maximize their reach.

The vulnerabilities being abused allow unauthenticated file uploads, remote code execution, server side request forgery, and unsafe deserialization.

Many already have public patches available, which makes the scale of exploitation even more concerning for owners who have not kept their software current.

ASD’s ACSC said in a report shared with Cyber Security News (CSN) that the campaign reflects a broader shift in how quickly attackers move from vulnerability disclosure to active exploitation.

The agency pointed to a recent joint statement from the Five Eyes cyber security agencies, warning that AI is accelerating the speed and scale of these operations.

ACSC Warns of Large-Scale CMS Exploitation Campaign

This exploitation wave spans a broad set of software. WordPress plugins such as Simple File List, WavePlayer, BerqWP, WPBookit, Ninja Forms, ThemeREX Addons, Breeze Cache, pay-uz, ACF Extended, Sneeit Framework, WPvivid Backup, Gravity Forms, and GutenKit or Hunk Companion have all been targeted, alongside standalone platforms like Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE.

Each tool carries its own tracked vulnerability, and attackers appear to be scanning the internet for any site running a vulnerable version. Once a weakness is found, a webshell is dropped into the file system, giving persistent remote access.

The compromised server can then be used for defacement, credential theft, malware distribution, or as a stepping stone into a larger network.

What makes this campaign notable is not any single new exploit but the breadth of the target list. Attackers are casting a wide net across CMS ecosystems rather than one platform, which increases the odds of finding an unpatched target somewhere in the mix.

ACSC has laid out clear steps for website owners who suspect they have been affected. The first priority is inspecting the CMS directory for unusual files and checking web access logs for suspicious requests aimed at known webshell paths.

Any server found running a webshell should be treated as fully compromised. That means isolating it, auditing authentication and network logs for signs of lateral movement, and tracing back through historical traffic to find how the breach happened.

Restoring from a clean, known good backup is recommended once the environment has been checked and patched.

Beyond incident response, ACSC also recommends longer term defensive habits. Keeping CMS software and plugins updated remains the most effective safeguard, since nearly all flaws being exploited already have fixes available.

Disabling a plugin the moment a vulnerability becomes public can close the window of exposure.

Configuring web directories as read only, restricting which files and paths can execute, and monitoring for unexpected child processes spawned by the web server can limit what a webshell can do even if one slips through.

Organizations are also encouraged to block unnecessary network paths between public facing websites and internal systems, reducing the chance a compromised site turns into a broader breach.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.



Source link